NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Reporting on Delegated Admin Rights

Management of Active Directory is commonly delegated to local or departmental administrators.  This means that certain individuals are (for example) granted permission to create user accounts and manage security groups within a given area of the directory.  Microsoft provides a built-in wizard (the Delegation of Control Wizard) to delegate these tasks; it does the work of applying all the underlying permissions associated with the task.

For example, here are just a few of the many underlying permissions granted when you delegate the task [Create, delete, and manage user accounts] over an OU:

  • List Contents
  • List Object
  • Delete Object
  • Delete Subtree
  • Read Permissions
  • Read All Properties
  • Modify Permissions
  • Modify Owner
  • etc.

There are potentially hundreds of underlying permissions for any given delegated task.  The challenge, therefore, lies in being able to understand and report on which rights have been delegated over time.  How do you know who has been delegated those permissions?  How do you know when underlying permissions are updated after the wizard has applied the task?  Or when rights are applied directly without using the wizard?  How do you know who has rights to create accounts through their group memberships when groups may be several levels deep?
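To make those questions concrete, the following added example (not NetVision code and not part of the original post) takes a point-in-time snapshot of the explicit ACEs on one OU that grant create, delete or permission-changing rights, and expands any group trustee through nested memberships. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: report explicit (non-inherited) Allow ACEs on one OU that
# grant sensitive rights, and expand group trustees through nested groups.
# Assumes the RSAT ActiveDirectory module; $ouDn is a placeholder value.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory          # also provides the AD: drive

$ouDn = 'OU=Sales,DC=example,DC=com'   # placeholder, replace with your OU

# Bits that let a trustee create, remove or re-permission objects.
# GenericAll is not listed because it already contains every bit below.
$sensitive = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner'

$acl = Get-Acl -Path "AD:\$ouDn"

$report = foreach ($ace in $acl.Access) {
    if ($ace.IsInherited) { continue }                      # set higher in the tree
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ([int]($ace.ActiveDirectoryRights -band $sensitive) -eq 0) { continue }

    $trustee = $ace.IdentityReference
    $members = @()
    try {
        # Resolve the trustee to a SID, then check whether it is a group
        $sid = $trustee.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction Stop
        if ($obj -and $obj.ObjectClass -eq 'group') {
            # -Recursive walks nested groups and returns only leaf members
            $members = Get-ADGroupMember -Identity $sid -Recursive -ErrorAction Stop |
                Select-Object -ExpandProperty SamAccountName
        }
    } catch {
        # Unresolvable trustee (deleted account, foreign or well-known SID):
        # keep the ACE in the report with no expanded members
    }

    [pscustomobject]@{
        Trustee      = $trustee.Value
        Rights       = $ace.ActiveDirectoryRights
        AppliesTo    = $ace.InheritanceType
        ObjectType   = $ace.ObjectType    # GUID of the class or attribute the ACE is scoped to
        GroupMembers = ($members -join ', ')
    }
}

$report | Sort-Object Trustee | Format-Table -AutoSize -Wrap
```

Saving each run with `Export-Csv` and comparing it with the previous run shows ACEs that were added or changed after the wizard was used, including ones applied directly.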

NetVision’s Access Rights Inspector has a built-in ability for in-depth reporting on rights over Active Directory objects, and that includes reporting on the tasks delegated via the Delegation of Control Wizard.  It provides extremely useful reports and removes the guesswork and manual effort associated with understanding what tasks have been delegated throughout Active Directory.

Answers, Not Data: The Key to Access Security

NetVision has heard from its customers loud and clear that the holy grail of compliance reporting is enabling actual answers rather than just piles of data.  In this SC Magazine article, titled Answers, Not Data: The Key to Access Security, NetVision CEO David Rowe explains how next generation compliance solutions will be focused on answers and continuous audit rather than periodic audits that generate confusing or obfuscated data sets.

Permissions and Group Membership Cleanup

At NetVision, we hear from numerous organizations who are looking for help with cleaning up permissions that have gotten out of control over time.  David Rowe explains the challenges and provides some tips on how to tackle the job in this ESJ article titled Coming Clean: Getting a Handle on Permissions and Group Memberships.

NetVision is Hiring

We’re looking for an experienced engineer to help with software builds, installation, and configuration management.  More details here.

NetVision Announces Relationship with Sparxent

Today, NetVision announced our partnership with Sparxent.  More details here.

Quoted from the release:

“Today’s enterprises are strapped for resources and very often lack the expertise needed to meet compliance and audit demands,” said David Rowe, CEO of NetVision, Inc. “We’re pleased to be partnering with a value-add solutions developer like Sparxent who brings a true ground-level understanding of the business challenges related to audit and compliance. We see Sparxent as an integral part in extending our reach here and in the EMEA, where our customers will receive hands-on, localized support professionals to help them improve their audit results.”

What’s the difference between data, context and the answer?

As one of the few vendors who evaluate both access-related events and states, we’re always looking for meaningful ways to combine the two. By some definitions this is called “context”. I think that’s too scientific; defining the combination of data points as providing context when in fact it’s simply the answer. I say this based on increasingly frequent discussions with prospective customers who, rightly, say, “well, if you have this very rich information it’s very titillating but what I’m really after is…[pick your daily job-related outcome].” So, I hypothesize that data from a SIEM or a query tool or any other mechanism is simply data if provided without context. And with the right context it’s merely the answer. Here’s a new tagline: “Expect Answers”

Active Directory Group Clean Up

A recent edition of NetVision’s monthly newsletter AuditMonthly discussed the issues of permission bloat and group clean up.  There are some focus areas outlined in one of our solutions pages: Active Directory Group Clean Up.  We can help you get your arms around the issue, identify low hanging fruit, and clean things up.

The Business Value of Effective Audit

There’s a new white paper on the NetVision Knowledge page titled:

The Business Value of Effective Audit

Effective access audit can be a powerful business enabler providing significant value beyond protecting against malicious insiders. This paper identifies the business challenge, how the industry is approaching the challenge, and NetVision’s unique approach to access rights reporting and monitoring.

Microsoft Exchange Monitoring: Preview

NetVision will soon be announcing availability of our Microsoft Exchange monitoring capabilities.  Independent of Microsoft event logs, this solution will enable you to monitor message, calendar, contact, and task activity.  Events can be triggered based on whether the initiator is the mailbox owner, and events can be filtered by subsets of users.  So, for example, if a help desk user sends a message from your CEO, you might want to take different action than if the CEO’s assistant sends a message from that account.

If you’d like us to keep you updated on the Exchange monitoring release, please let us know.

Updated: Access Rights Inspector SSE

NetVision today released an updated version of Access Rights Inspector Single Server Edition.  The new version applies a fix to issues related to large volume size and the initial file/folder rights scan.  The SSE version is a free 30-day trial providing access rights reports on a single server. 

Access Rights Inspector SSE enables users to select user accounts/groups and files/folders to generate custom reports on access rights based on those selections.

Available Reports include:

  • Effective Rights: calculates permissions based on group memberships, inherited rights, ownership, and more.
  • Explicit Rights: provides explicit permission settings for selected accounts and resources.
  • Deny ACEs: provides a list of all locations where permissions are explicitly denied.

Click here to download a copy to get immediate reports on your server!

© 2009 NetVision Company Blog. All Rights Reserved.